1. 技术文章
  2. Site in Azure Websites fails processing of X509Certificate2

Site in Azure Websites fails processing of X509Certificate2

一曲冷凌霜 提交于 2019-11-30 06:34:00

问题


I have site in Azure Websites (not Hosted Service) and I need processing .pfx certificates with private key there. 

var x509Certificate2 = new X509Certificate2(certificate, password);

But I was faced with follow exception:

System.Security.Cryptography.CryptographicException: The system cannot find the file specified.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

In article http://blog.tylerdoerksen.com/2013/08/23/pfx-certificate-files-and-windows-azure-websites/ I have found that it happens because by default the system uses a local directory of user to store the key. But Azure Websites have no local user profile directory. In the same article author propose to use X509KeyStorageFlags.MachineKeySet flag.

var x509Certificate2 = new X509Certificate2(certificate, password, X509KeyStorageFlags.MachineKeySet);

But now I have other exception:

System.Security.Cryptography.CryptographicException: Access denied.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx)
   at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData, String password, X509KeyStorageFlags keyStorageFlags)

Can anybody help me to understand why it happens and how to fix it?


回答1:


I guess you found a workaround, but if others are struggling with this, I found the answer to this in another SO question:

How can constructing an X509Certificate2 from a PKCS#12 byte array throw CryptographicException("The system cannot find the file specified.")?

The magic is specifying the X509KeyStorageFlags storage flags. Example:

var myCertificae = new X509Certificate2(
    certificateData,
    securePasswordString,
    X509KeyStorageFlags.MachineKeySet | 
    X509KeyStorageFlags.PersistKeySet | 
    X509KeyStorageFlags.Exportable);



回答2:


Azure Websites now has native support for installing certificates to the certificate store. Have you given that a shot?

Details here: http://azure.microsoft.com/blog/2014/10/27/using-certificates-in-azure-websites-applications/




回答3:


Azure Websites run in a shared environment. I am assuming that the constructor for the certificate is attempting to create some temporary information on the instance and it does not have permission to.

You may have to upgrade to a hosted service in order to run in an elevated context and perform this work.

Also, have you validated that the password is correct? If it doesn't require a password, you at least have to pass string.Empty to the constructor. Passing in a NULL value would also cause this exception.




回答4:


I had exactly the same problem, and struggled many hours for fixing it. In the article that you mention the last stack call is to the function LoadCertFromFile, but in your (and my) case it is LoadCertFromBlob.

So I looked for LoadCertFromBlob and found this:

Why does X509Certificate2 sometimes fail to create from a blob?

The solution was to go in IIS and change the application pool identity from "ApplicationPoolIdentity" to "LocalService", so that the certificate is loaded in right local folder.




回答5:


In Azure Websites / Web App / Mobile App - you have to use App Service Plan that allwos you to import SSL certificate - so it shoud not be a Free or Shared. You can import not only SSL certificate, but also for an example code signing cerificate and use it in signtool or from PowerShell.

I used this method in https://vmplace.eu/

If you try to use a Free or Shared plan you receive error - so in Azure in these Plans there is other version of .NET framework.

You can refer to this project also: https://github.com/onovotny/SignService

mvpbuzz



来源:https://stackoverflow.com/questions/18959418/site-in-azure-websites-fails-processing-of-x509certificate2

标签
c#
azure
azure-web-sites
x509certificate2
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!